Software Integrity

Fault Injection Podcast .004: Driving automotive software security

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about automotive software security and the future of connected cars.

Robert Vamosi: I’m Robert Vamosi, CISSP and Security Strategist at Synopsys.

Chris: Today, we’re going to be carrying on our discussion about cyber supply chain. This has been a topic we’ve talked about multiple times related to the defense industry and other areas, but today we’re going to talk about the automotive industry and the supply chain, and some of the challenges related to that.

Robert: Let’s start with a little bit of history. When we think of medical devices, when we think of other industries, they’ve had years to ramp up on all of this. Relatively speaking, the automotive industry was quietly going along, not really thinking about software, and then there was this event that occurred in the summer of 2015 where a jeep went off the road and it was remotely controlled.
Suddenly, the automotive industry woke up to the fact that, “Wow. There’s a few million lines of code going on in that vehicle.” Some of that is vulnerable.

Chris: The other thing to take into account is it hasn’t stopped. Even though we have that seminal event that kicked this off, we look at other manufacturers out there. They are starting to see these challenges as well. It’s starting to grow and grow.

Just like what we’ve seen in medical, when we have ransomware attacks that are attacking medical delivery organizations, we’ve seen malware infection. Some other interesting challenges have been coming up recently. The automotive industry is playing catch up. I will say the automotive industry is running fast to catch up.

Robert: I was going to add that. The way in which they’ve embraced the seriousness of this is just remarkable. The way that they are tackling it is inspiring in some ways. They’ve convened various bodies to look at standards. They’ve engaged the software industry to promote and help them get to that next level and they’ve worked with their supply chain.

They’ve always had a tight control over their supply chain. When there’s an auto accident or something, they’re able to go back and say that this part was manufactured on this day and had this problem and in some cases, have to do a recall because of that. Because of that scrutiny of the supply chain, they’re applying that now to the software industry.

Chris: That recall process that you mentioned is a very robust process. When we talk about whether it’s a recall for an individual component in a vehicle or a subsystem of components in a vehicle, it’s very clear which parts there that need to be replaced.

What the process is for going through that in addressing that particular issue. Server adds a new characteristic that we haven’t seen. This is where the industry’s asking for a lot of input and how we could address these particular challenges in these particular issues.

I’m very lucky. I get to work with ISO and SCE, different working groups related to cybersecurity and cyber challenges. There is a wide range of people that are participating in these organizations. Not only the OEMs, but also the tier one and tier two client component manufacturers that provide components to automotive industry.

Every single one of them is asking, “What should we do? Where is the standard? What are the standards that we need to follow?” It has proven to be rather challenging because when we think about these standards, it’s not an issue of, “I need to address the standard for right now.” I need to address the standard that’s going to last for the next five to seven years and also be flexible enough that it can grow with the type of technologies that we’re looking at going into vehicles.

Robert: There’s also a paradigm shift, to use the cliché term, where they focus on the safety of the vehicle. They’re used to regulations. They’re used to standards that focused on the safety of the vehicle. The security part of it hasn’t been in there necessarily, it hasn’t been called out specifically. Are you finding that to be true?

Chris: Yes. That’s why we’ve seen ISO 26262 becomes so prevalent in the industry. When we look at this particular standard, its focus is safety. When we look at J3061, that focus is cybersecurity and how we address that.

The direction that we’re going is how do we merge those two? They’ll never be one single document, but they all work together. When we look at a vehicle, we’re looking at quality, we’re looking at safety, and we’re looking at security, especially as we become more connected.

When we look at a vehicle, the vehicle of 10 years ago that had an engine and it had some ECUs, a couple of controllers to manage that engine in the system in the vehicles, that’s gone. Even in today’s vehicles, we look at very well connected systems, even talking back to the manufacturers or the OEMs so that they can maintain that fleet of the time.

Robert: Perhaps we should step back and explain that a little bit. Unlike other devices that we work with, there’s no homogeneous operating system going on here. There are the electronic controllers that you referred to, the ECUs that are running the anti lock brakes, or the steering column, or even the entertainment system, the heating and air conditioning, all of that.

They’re very separate systems. They use a CAN bus system to communicate with one another, more or less.

Chris: More or less, yeah. They use multiple systems to communicate. It’s not just that one CAN bus, but that’s the one most people are very familiar with and how many that are in vehicles are actually applied.

It’s a very critical sub-system of the overall vehicle, but I think a common misconception for many people is that when they look at a vehicle, each one of these components has its own operating system, and that’s not necessarily the case. We may have an ECU that is running a chunk of code and no true operating system.

It’s performing a very specific action, and performs it very quickly. The ability to subvert that particular component may be more challenging, but it could be used as a pivot point or some other activity within a vehicle to become part of that overall attack.

Robert: Right, and the lack of an overall operating system is actually beneficial, because that speaks to something we talk a lot about in security, which is partitioning or segmenting off different units.

That infotainment unit, which is connecting to the Internet and which is connecting to Spotify and Pandora and whatever, is not necessarily connecting to the steering column or to the anti-lock brakes. They’re segmented because of the design that was—

Chris: And the safety requirements.

Robert: Right, and the safety requirements.

Chris: Well, and that’s where I think standards are starting to make a difference. We’re looking at what are some best practices to implement from an automotive perspective, from a design perspective, and an overall quality, safety, and security perspective.

One of those drivers are these new manufacturers that are coming out. When we talk about what the next generation of vehicle will look like, most people think, “Not GM, not Ford.” They think, “Tesla,” or they think some other new automotive disrupter that’s coming out with some new types of technologies, new looks to vehicles.

That’s where we’re seeing deep integration of different systems and different sub-components in the vehicle. You mentioned Spotify, and we chuckled about that. That’s just the beginning. When we look at infotainment systems, there’s designs that are on the table that don’t even have an infotainment system. It’s all driven via the phone.

When we think about how that’s going to impact the vehicle, how does muting work? How does call forwarding work? How do all these different features that we expect out of a phone, how is that implemented into the vehicle, and how is that implemented for a dispersed provider of cell phone providers? We start to see some real challenges there.

Robert: There’s a whole alliance around the infotainment system itself, the interactive browser part of it. What’s the name of that? GENIVI?

Chris: GENIVI, yes. [laughs]

Robert: GENIVI.

Chris: GENIVI, GENIVI. Everybody has a different way.

Robert: Here you have the tier one and tier two OEMs all participating together, trying to come up with the best practices for the infotainment system in particular.

Chris: It’s not just GENIVI. There’s many of them. We look at automotive grade Linux, specifically focused on infotainment systems. We look at GENIVI for overall systems design and vehicle design from a security perspective.

A lot of that information is a proving ground that’s being moved into the OEM spaces, and we’ll continue to see that. That’s been one of the beneficial parts of working with these groups, getting an idea of what other challenges that they’re facing now, and how do we grow off of those challenges?

When we talk about security, and we’ve joked about this before, we’ve talked about this before in other podcasts. When we look at security today, it’s not what we’re going to be seeing in 10 years. Some of it may still be there. We know that bugs can last for a very long time depending on the operating system and update cycles, but there’s going to be new types of attacks.

When we talk about anti-virus, that’s a joke these days because you can’t keep up with anti-virus. You’re constantly updating. We have to look at new techniques now, and what are those techniques going to be? When we have to consider, I have 100,000 vehicles that are all the same make and model that are on the road.

If we find a vulnerability that allows us to attack, over the air, all those vehicles and disable them all at once—very concerning. How do we start to address those types of issues? I mentioned OTA, “over the air updates”. That’s one of those areas that we’re starting to look at. How do we address the challenges from an automotive and an OEM perspective?

Most of us, when we think about a software update, we think about an update that’s going to happen to our computer. We apply a patch, and we reboot the computer, and that’s the end of the day. We hope that that patch gets applied properly, but when we look at a vehicle, there’s so many interactions between different sub-systems.

Even though they’re from the same OEM, how can I apply those updates? Do I have the space to download that over the air, then apply that update? When do I apply it? Is it while the vehicle is running? Now I have to take safety considerations into play. It becomes very challenging, that perspective.

One thing we haven’t talked about at all is the aftermarket. Many people out there, when they purchase a vehicle, they like to do upgrades.

Robert: Today at security conferences, what you see are researchers attacking the infotainment system in particular. Not surprising because it’s basically a web-kept browser that’s being re-purposed to do a bunch of different things. That’s where we’re looking at today as the entry point.

As you just said, we need to look 5 to 10 years down the road because as we get these connected cars on the road, the road becomes connected to the automobiles. There’s going to be communication back and forth between the stop lights and your vehicle or other vehicles—vehicle to vehicle communications.

That opens another door of vulnerabilities that will need to be investigated. Since we’re five years out, we should be thinking about that today and how we can lock that down with best practices before the vehicle even gets out on the road.

Chris: We should also mention, right now we’re talking about a vehicle. In the future, we’re going to be seeing what’s called training. We all love it when the semi comes barreling down the road and when, “Oh my gosh, he’s right on my tail. I’ve got to get out of the way.”

In the future, it’s very possible you’re going to see a semi or some vehicle similar to that. It’s going to have multiple trailers that are attached behind it that are all driven by that very first trailer and controlling it.

Same thing, we could potentially see from mass transit. We could see that from taxis and other types of vehicles that are out there in order to reduce that computing power necessary to manage a large number of vehicles, especially when we look at very large, very dense areas like San Francisco and New York City. This is going to become very, very important.

Now, as you said, we’re bringing in infrastructure. Traditionally, again, we have that vehicle that’s off on its own. Those days are gone. We have to look at the infrastructure that’s supporting the overall autonomous vehicle—V2X, V2V.

Also, take into account when we’re talking today, we’re usually talking about North America, but this is a global issue. We’re seeing these very same things. I just came back from a trip from China. Excellent trip, lots of vehicles.

The infrastructure is well prepared for upgrade so that we can see this, this type of autonomous control. We can see mass transit being much more efficient in these very congested areas.

Robert: I do know that in Europe, they’re already doing that with the trucks. You call that training where they’re looking at the drag to reduce gas usage. There’s some physical results by having these vehicles chained together. The idea being that they have one driver in the first truck.

Chris: Safety.

Robert: The other ones, the ones that are following, basically take their orders from that first truck. We’re seeing some real world applications of these ideas. The idea of mass transit and taxis is exciting. At the same time, we’re going to have to figure all these out before we implement that.

Chris: Very much so. It’s all about standards. We have to have some robust standards to help address these challenges that we’re starting to see.

You brought up an interesting factor which is fuel economy. When we look at autonomous vehicles, almost all of them are hybrids these days. In some cases, they’re strictly electric. We’re looking at that transition, but we still have this infrastructure challenge to address.

How can I get power charging to be ubiquitous just like gas stations for a wide range of vehicles and being able to support those communications protocols on how do I charge this particular battery versus a different type of battery and a different type of vehicle.

These are all the things that we’re looking at and we’re talking about. Again, I think it’s important to point out from automotive perspective, they are taking this seriously. As a consumer, we should feel pretty good in the aspect that of all the industries that we work with on a regular basis, automotive is super charged in the process.

Robert: I’ve asked you this question before and I’d like to hear the answer again if you could. That is compared to, say, the medical space, how would you compare the automotive industry to the healthcare industry in terms of embracing the need for security?

Chris: That’s an interesting question. It has changed in a relatively short period. When we look at a medical device manufacturer as I indicated the lead times from design to release are typically pretty long.

Robert: So are automobiles.

Chris: So are automobiles. That’s an interesting parallel which is from a medical device perspective, they’re focused on one device. From an automotive perspective, we’re looking at a system of systems.

Hands down, right now, automotive is far ahead of what medical is doing from a cybersecurity standpoint. Even though without having the lead time of regulatory requirements, standards development that medical device manufacturers have had for some time. Unfortunately, we’re seeing that in the news. We see the impact of that.

Robert: Would you think that the automotive response is based on a stunt hack which captured a lot of imagination as opposed to we know some medical devices have failed over time, but those are more quieter attacks. They’re not exactly front page news.

Chris: I think there’s a piece that we don’t take into account. We can draw a parallel to what we do at home. If I’m on my home computer and I’m working on something, then the application crashes or the system starts behaving slowly or something just doesn’t seem right, what do I typically do? I restart the system.

What was the impact? What actually led up to that point? Was it a safety issue? Was it a quality issue? Was it a security issue? For the medical industry, we don’t know. Those devices can’t be tracked. We can’t track that information easily.

In the automotive industry, we have that ability. We have those vehicles that have ECUs. Some of them even have black boxes today that help us collect that information and be more robust over time.

Robert: Actually, all cars past a certain date have black boxes installed in them. That brings up another issue—we’re going to have an interim period. I know in California, you can find a old car driving down the street just because that’s the way it is.

We’re going to have a period where you have these smart cars on the road with legacy cars. This is going to fuel a whole aftermarket explosion of tools to make your ’65 Mustang smart. Foresee any problems with something like that?

Chris: There’ll be plenty of problems. Obviously, there’s going to be a limitation of how smart that vehicle can be. Really what it’ll help address is allowing those smart vehicles to avoid that not as smart vehicle.

We’ll have some standards that help vehicles negotiate what do I do with this older vehicle that doesn’t behave the way I expect it to. As you said, that is going to be an aftermarket. That’s going to be a very popular aftermarket. It’s going to be quite pervasive for some time.

You brought up another interesting point, which is when I purchase a vehicle, we’re talking about classics, right?

Robert: Yeah.

Chris: How many of those who had that old Honda Civic would, 20 years ago, consider that old Honda Civic to be a classic?

It is. By definition, it is a classic. When we start looking at autonomous vehicles and other VW vehicles as they get older, we have to address an important challenge, which is the end of life of that vehicle.

Is it when the warranty expires? Traditionally, no. Is it when a service component in that vehicle is no longer available? I’ll give you an example. Maybe I have a wireless unit in that vehicle that manages communications.

Now, the cryptography is so old or so cumbersome, that vehicle could be used…not necessarily used, but that vehicle could be subverted to acting the way it should. Does that mean that vehicle has to be taken off the road?

We have a whole new set of challenges that we have to think about and plan for when we talk about obsolescence of a vehicle that just has never been considered or thought about today.

Robert: We also have the privacy aspect of it. If I’m putting Spotify or whatever on my car, it’s attached to my account. When I sell that car, what happens to that information? Does the new owner now have access to my account? Do they know my playlist? Do they know where I’ve gone?
The same thing with insurance, too. When you buy a used car, is the insurance industry going to be able to see the legacy of that vehicle? There are lots of privacy questions that are coming by having all of these electronics in the vehicle.

Chris: Especially when you talk about the ability to have something like a Siri or an Alexa in your vehicle. We’ve already seen some court cases where records are being requested.

Robert: OnStar.

Chris: Exactly. We have this type of a privacy issue that’s going to be raised and going to continue to grow in a relatively short period because we’re already seeing a transition to have that.

Imagine a vehicle that has some level of AI or machine learning that when you get into the vehicle, it knows your characteristics. It knows how you drive. Can that information be reported? Can it be purged?

What happens to that when I saw the vehicle or the vehicle needs to be scrapped because of an accident? Is it scrapped immediately, or does that information need to be recorded somewhere?
All questions we’re going to have to answer over a period of time, but these are the things that we’re talking about, working out from a stander’s perspective and an industry perspective.

Robert: Other than you and I having these conversations, anybody looking into that?

Chris: Very much so. In fact, this week, I’ll be speaking at the SAE connected car symposium. This is going to be some of the very topics that we discuss what are the future challenges that we have to think about and how are we going to be able to address those in a realistic time frame?

Most definitely, this is something that is at the, maybe not the foremost of the automotive industry, but from the security and privacy professionals within the automotive industry. This is what we talk about on the regular basis.

Robert: I’ll look forward to hearing more about that.

Chris: Very excited about it.

Robert: As always, we thank you guys for joining us. We’ll be seeing you at our next podcast. Thank you for attending.